Closed alexpmorris closed 3 years ago
I believe I found the answer, so closing this ticket. It seems anyone can append(), but if the invalid feed is propagated to another node, it would reject the tampered feed in _verifyAndWrite() -> _verifyRootsAndWrite(), thus throwing the exception "Remote signature could not be verified".
Glad you found an answer! For future reference, it might be good to post issues related to hypercore's internals to the hypercore repo.
I recently did a test changing feed.secretKey after a few calls to feed.append(), then called feed.append() again. I expected the call to fail. However, it went through without a problem. If I manually called feed.verify() after that, only then did I receive a "Signature verification failed" error:
There was no replication or persistence with this test feed, so maybe that's part of the problem, as I don't expect it would be that easy to potentially corrupt a propagated feed.
But it also seems that by default, performing this sort of action using a key that doesn't match prior transactions should throw an error.
Appreciate any additional insight on this issue.
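A simplified model of the behaviour discussed in this thread, added here as an example (not hypercore's code and not part of any comment above): append() signs with whatever secret key is currently set, a receiving peer verifies against the feed's public key, and a stricter appendChecked() verifies locally before committing. The Feed class, rootHash, verifyRemote, appendChecked and the hash chain standing in for signed roots are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a hash chain over all entries stands in for the signed roots.
function rootHash(entries) {
  return entries.reduce(
    (prev, e) => crypto.createHash('sha256').update(prev).update(e.data).digest(),
    Buffer.alloc(32));
}

class Feed {
  constructor(keyPair) {
    this.publicKey = keyPair.publicKey;  // identity that peers verify against
    this.secretKey = keyPair.privateKey; // writer key, mutable as in the report
    this.entries = [];
  }
  // Behaviour described in the thread: sign with whatever key is set, no check.
  append(data) {
    const entry = { data: Buffer.from(data) };
    this.entries.push(entry);
    entry.signature = crypto.sign(null, rootHash(this.entries), this.secretKey);
  }
  // Stricter variant: verify the new signature locally before committing.
  appendChecked(data) {
    const entry = { data: Buffer.from(data) };
    const root = rootHash([...this.entries, entry]);
    entry.signature = crypto.sign(null, root, this.secretKey);
    const ok = crypto.verify(null, root, this.publicKey, entry.signature);
    if (!ok) throw new Error('Secret key does not match feed public key');
    this.entries.push(entry);
  }
}

// Receiving peer: check every signed root against the feed's public key.
function verifyRemote(publicKey, entries) {
  entries.forEach((e, i) => {
    const root = rootHash(entries.slice(0, i + 1));
    const ok = crypto.verify(null, root, publicKey, e.signature);
    if (!ok) throw new Error(`Remote signature could not be verified (entry ${i})`);
  });
  return true;
}

// Constructed scenario: two valid appends, a key swap, then one more append.
function demo() {
  const feed = new Feed(crypto.generateKeyPairSync('ed25519'));
  feed.append('a'); feed.append('b');
  feed.secretKey = crypto.generateKeyPairSync('ed25519').privateKey;
  feed.append('c'); // accepted locally despite the mismatched key
  let remoteError = null, checkedError = null;
  try { verifyRemote(feed.publicKey, feed.entries); } catch (e) { remoteError = e.message; }
  try { feed.appendChecked('d'); } catch (e) { checkedError = e.message; }
  return { length: feed.entries.length, remoteError, checkedError };
}
```

In this model the mismatched entry is only caught at the first point where a signature is checked against the public key, which is the receiving side unless the writer verifies at append time.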